Iptables


Submitted By ricardoramirez
1. Introduction

CentOS has an extremely powerful firewall framework built in. We commonly refer to it as iptables, but more correctly it is iptables/netfilter. iptables is the user-space component, the part that you, the user, interact with on the command line to enter firewall rules into the predefined tables. netfilter is the kernel component, built into the kernel, and it is netfilter that actually performs the filtering.
There are several GUI front ends for iptables that let users add or define rules by pointing and clicking in the interface, but these often lack the flexibility of the command line and limit the user's understanding of what is really happening. We are going to learn the iptables command-line interface.
Before we can tackle iptables we need at least a basic understanding of how it works. iptables works in terms of IP addresses, protocols (TCP, UDP, ICMP) and ports. We do not need to be experts in these topics to begin (we can look up whatever information we need), but a general understanding helps.
iptables places rules in predefined chains (INPUT, OUTPUT and FORWARD). Each chain is checked against the network traffic (IP packets) relevant to that chain, and a decision is made about what to do with each packet based on those rules, for example to accept or drop it. Rules in a chain are evaluated in order, the first rule that matches with a terminating target decides, and if no rule matches the chain's default policy applies. These actions are called targets; the two most used are DROP, which silently discards the packet, and ACCEPT, which lets it through. (REJECT also refuses the packet, but sends an error back to the sender instead of staying silent.)
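
As an added example (not part of the original article), here is a minimal default-deny rule set that exercises exactly these pieces: the three chains of the filter table, their default policies, and the ACCEPT, DROP and REJECT targets. It is written in the text format that iptables-save prints and iptables-restore loads, which is how a rule set is normally kept on disk (on CentOS, /etc/sysconfig/iptables). The function names, the SSH_PORT variable and the 90-second rollback are this example's own; it assumes sshd on port 22 and a host that does no routing.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal default-deny host
# firewall for the iptables "filter" table, written in the text format that
# iptables-save produces and iptables-restore consumes. Function names and the
# SSH_PORT variable are this example's own. Assumes sshd listens on 22 and that
# the host is not a router (FORWARD stays closed).

SSH_PORT="${SSH_PORT:-22}"

# Print the rule set to stdout. Nothing is applied here.
gen_host_ruleset() {
    cat <<EOF
*filter
# Chain policies: whatever no rule accepts on INPUT or FORWARD is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always local; a 127.0.0.0/8 source on a real interface is spoofed.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# Replies to connections this host opened (stateful tracking by conntrack).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot place in any connection (stray ACKs, bad sequence numbers).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The one service this host offers: SSH. Add further -A INPUT lines per service.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Echo requests, so the host stays pingable for diagnostics.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Last rule: REJECT so that peers on the local network get an immediate error
# instead of a timeout. Facing untrusted networks, prefer DROP (say nothing).
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Count the rules (-A lines) in a rule set read from stdin.
count_rules() {
    grep -c '^-A '
}

# Apply with a safety net. If the new rules cut off your SSH session, the
# background timer restores the previous rule set after 90 seconds; once you
# have confirmed you can still log in, cancel it with: kill "$ROLLBACK_PID".
# Must run as root.
apply_ruleset() {
    iptables-save > /root/iptables.rollback
    gen_host_ruleset | iptables-restore
    ( sleep 90 && iptables-restore < /root/iptables.rollback ) &
    ROLLBACK_PID=$!
    iptables -S INPUT    # show the active rules for review
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *)     gen_host_ruleset ;;
esac
```

Saved as, say, hostfw.sh, the script prints the rule set when run without arguments so it can be reviewed first, and `sh hostfw.sh apply` as root loads it. The rollback timer is the check a practitioner wants here: a default-deny INPUT chain with a mistake in the SSH rule locks you out of a remote machine, and the scheduled restore undoes that unless you cancel it after confirming the session still works.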

Chains

There are three predefined chains in the filter table to which we can add rules to process the IP packets that pass through the…...

Similar Documents

Security Enhanced Linux (Selinux), Chroot Jail, and Iptables

...Three of the most important types of Linux security technologies are Security Enhanced Linux (SELinux), chroot jail, and iptables. These security measures aid in the subversion of theft and malicious activity. We will discuss these items in depth to address who created them and for what reason. Along with how these technologies changed the operating system to enforce security, and the types of threats that these security systems are designed to eliminate. Security Enhanced Linux was released in December of 2000 from the National Security Agency (NSA), under the GNU general public license. SELinux is not a Linux distribution; it is a set of kernel modifications and tools that can be added to a variety of Linux distributions. SELinux is currently a part of Fedora Core, and it is supported by Red Hat. Incarnations of SELinux packages are also available for Debian, SuSe, and Gentoo. Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible Mandatory Access Control (MAC). MAC provides an enhanced process to enforce the separation of information based on confidentiality and integrity requirements, as well as the confinement of damage that can be caused by malicious or flawed applications. The previous security structure, discretionary access control (DAC), allowed threats of tampering and avoidance of security mechanisms, because DAC gives the user ownership of files and allows users the ability to make policy......

Words: 848 - Pages: 4

320 Linux Admin

...their chroot directory. While this tool is great in keeping out most unwanted access, it is still susceptible to deliberate attempts to gain access to root. It does make it that much more difficult to exploit the network server for those not allowed. Iptables: This upgrade to the ipchains firewall/NAT package was created by Netfilter to correct the package's faults. The iptables firewall package added increased filtering and inspection processes, better integration with the Linux kernel, better network address translation, system logging, and rate limiting. One of the biggest upgrades to the ipchains package was the addition of stateful packet inspection. This allowed iptables to keep track of each connection flowing through it, and anticipate the next action of some protocols. It also allowed iptables to filter packets by MAC address and TCP flags within the header. This prevents any distorted packets from gaining access to the server, regardless of their IP address. The added rate limiting feature was implemented to stop some types of DoS (Denial of Service) attacks. This type of attack is simply what it says: it disallows the targeted users from gaining access to the resources normally available to them. Iptables was adopted as the default firewall/NAT package of RedHat and Fedora Linux distributions. Like all firewalls, it will not stop everything and should not be your only means of protection against unauthorized access, especially when connecting to......

Words: 792 - Pages: 4
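
The features this excerpt lists (stateful tracking, TCP-flag matching, MAC matching and rate limiting) as the iptables commands one would actually type, added here as an example and not taken from the paper. IPT defaults to a dry run that prints each command; run with IPT=iptables as root to apply. The chain name TCP_SANITY, the interface eth0 and the MAC address are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the excerpt's paper): the iptables features the excerpt
# lists, written as the commands you would type. IPT defaults to a dry run that
# prints each command; run with IPT=iptables (as root) to apply. Interface and
# MAC address below are constructed placeholders; chain name TCP_SANITY is ours.

IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth0}"
ADMIN_MAC="${ADMIN_MAC:-00:11:22:33:44:55}"   # constructed, not a real host

# Stateful inspection plus TCP header sanity checks, in a user-defined chain
# that INPUT jumps to for every TCP packet. Scanners send flag combinations
# that no real TCP stack produces; drop them regardless of source address.
add_tcp_sanity() {
    $IPT -N TCP_SANITY
    # A packet that starts a new connection must be a bare SYN.
    $IPT -A TCP_SANITY -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # NULL scan (no flags) and XMAS scan (all flags).
    $IPT -A TCP_SANITY -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A TCP_SANITY -p tcp --tcp-flags ALL ALL -j DROP
    # SYN together with FIN or RST is never legitimate.
    $IPT -A TCP_SANITY -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A TCP_SANITY -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # Anything else goes back to INPUT for normal processing.
    $IPT -A TCP_SANITY -j RETURN
    # Hook the chain in at the top of INPUT.
    $IPT -I INPUT 1 -p tcp -j TCP_SANITY
}

# MAC filtering. The match sees the source MAC of the frame on the local
# segment only: for routed packets that is the router's MAC, and on the local
# segment a MAC is trivially forged, so treat this as a convenience, not
# authentication. Here it admits a management port from one admin workstation.
add_mac_rule() {
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m mac --mac-source "$ADMIN_MAC" -j ACCEPT
}

# Rate limiting. "-m limit" is one token bucket per rule, shared by all
# sources; it blunts a flood but also throttles legitimate clients, so it suits
# ICMP and the LOG target best. For per-source limits use -m hashlimit.
add_rate_limits() {
    # Up to 5 echo requests per second, with a burst of 10, then drop the rest.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Cap new SSH connections and log the excess without letting the log itself flood.
    $IPT -A INPUT -p tcp --dport 22 --syn -m limit --limit 20/min --limit-burst 5 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 --syn -m limit --limit 1/min -j LOG --log-prefix "SSH-SYN-limit: "
    $IPT -A INPUT -p tcp --dport 22 --syn -j DROP
}

# Order matters: sanity checks first, the MAC exception before the rate-limited
# SSH rules so the admin workstation is never counted against the limit.
add_tcp_sanity
add_mac_rule
add_rate_limits
```

Note that the rate limit for SSH is global, so a single attacker exhausting the 20-per-minute budget also shuts out everyone else without the admin MAC; that is the reason the comment points to hashlimit for per-source limiting.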

It302 Research Assignment 1

...Research Assignment 1 IT 302 Linux System Administration January 21, 2013 The purpose of this paper is to secure UNIX/Linux operating systems from unscrupulous people. It shall be focused on SELinux, chroot jail, and iptables. Each of the three focus areas will be detailed, with specific interest in the following. What organization is behind it and the reason the entity is involved. How each technology changes the operating system to enforce security, and if the security measure can be easily bypassed. And finally, describe the types of threats each of the technologies is designed to eliminate. Since no two UNIX-based operating system builds are exactly alike, it is important to note that each build may have its own inherent security flaws. SELinux was developed by The United States National Security Agency (NSA). The first version was made available to the open source development community under the GNU GPL on December 22, 2000. The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Network Associates, Red Hat, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions. Experimental ports of the FLASK/TE implementation have been made available via the TrustedBSD Project for the FreeBSD and Darwin operating systems. The reason NSA is involved in this project is because this organization is responsible for carrying out the research and advanced development of......

Words: 900 - Pages: 4

It302 4.1 Research Assignment

...Linux Security Technologies There are many ways to have internet access these days. Coffee shops, libraries, airports and even public buses have free wireless access. With all these free accesses to the World Wide Web, there are also many potential ways for hackers to potentially get your personal information and use it for their gain. There are many ways to combat this situation by using several security measures with Linux programming, and the majority of the software is free. Some of those security technologies are SELinux, TCP Wrappers, IPtables and Chroot Jail to name a few. SELinux is a security enhancement to Linux which allows users and administrators more control over access control. Access can be constrained on such variables as which users and applications can access which resources. It was developed by the NSA in December of 2000. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications. SELinux also adds finer granularity to access controls. Instead of only being able to specify who can read, write or execute a file, for example, SELinux lets you specify who can unlink, append only, move a file and so on. SELinux allows you to specify access to many resources other than files as well,......

Words: 1350 - Pages: 6

Nfs (Network File System)

...NFS (Network File system) IPtables NFS protocol was developed by SUN microsystems using UNIX. NFS allows servers to share local directories with client systems. NFS runs on UNIX, DOS, Microsoft, VMS, Linux and more. NFS allows a client to access files on a remote server. The client user is usually unaware of the storage location of the file they are using. NFS reduces the storage needs used on the client and aids in the administration work load. With an NFS the file system is stored on a remote server and the directory is shared over a local network. The server has a large capacity disk drive and device so that copies of files can be backed up without a problem. Diskless systems boot from the file server and load the system from a fileserver. Because a diskless client doesn't require much to run a file server system you can use older machines as clients. Other options for NFS for Linux are netboot and dataless systems. Netboot uses TFTP (Trivial File Transfer Protocol) that runs PXE (Preboot Execution Environment), a boot server for Intel. Dataless systems allow the user to store all files remotely but only Linux based applications can be kept on the disk. IPtables is composed of two components, netfilter and IPtables. Netfilter is a set of tables that hold rules the kernel uses to control network packet filtering. IPtables sets up, maintains, and displays the rules stored by netfilter. Rules use one or more categories of matches, classified with a single action. The rule that applies to......

Words: 387 - Pages: 2

Linux Security

...The Linux security technologies I researched are SELinux, chroot jail and iptables. SELinux (Security-Enhanced Linux) is a Linux feature that provides the mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls, through the use of Linux Security Modules (LSM) in the Linux kernel. It is not a Linux distribution, but rather a set of kernel modifications and user-space tools that can be added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement. The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency. The United States National Security Agency (NSA), the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000. The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003. Other significant contributors include Network Associates, Red Hat, Secure Computing Corporation, Tresys Technology, and Trusted Computer Solutions. Experimental ports of the FLASK/TE implementation have been made available via the TrustedBSD Project for the FreeBSD and Darwin operating systems. It provides an enhanced mechanism to enforce the separation of information based on......

Words: 1300 - Pages: 6

Unit 6 Discussion

...linked to the wide area network (WAN). This card's IP address is 192.168.1.5. The other interface card has the IP address 172.16.1.5 and is linked to the LAN. Which firewall rules should be written using iptables for the server hosting Samba? Discuss and suggest firewall rules to allow administrators to remotely manage the server using SSH. Use the concept of "default deny" when designing the rules. Participate in this discussion by engaging in a meaningful debate regarding the firewall rules that can be written using iptables. You must defend your choices with a valid rationale. At the end of the discussion, write a summary of your learning from the discussion and submit it to your instructor. Required Resources: None. Submission Requirements: Format: Microsoft Word; Font: Arial, Size 12, Double-Space; Citation Style: Chicago Manual of Style; Length: 1–2 pages; Due By: Unit 6. Self-Assessment Checklist: I have provided suitable iptables rules for the server hosting Samba using the concept of "default deny." * I have explained key points of how a bastion host should allow administrators to access Samba and SSH for remotely......

Words: 922 - Pages: 4
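
An added worked answer to the prompt (example code, not part of the discussion): a default-deny rule set for the dual-homed Samba server, in iptables-restore format. The two addresses come from the prompt; the interface names eth0 (WAN) and eth1 (LAN), the /24 prefix for the LAN, and ADMIN_NET are assumptions set through variables. Samba's ports are 137 and 138 UDP (NetBIOS name and datagram service), 139 TCP (NetBIOS session) and 445 TCP (direct SMB).

```shell
#!/bin/sh
# Added example (not part of the discussion prompt): a default-deny rule set for
# the dual-homed Samba server described in the prompt (192.168.1.5 toward the
# WAN, 172.16.1.5 on the LAN), in iptables-restore format. Interface names, the
# LAN prefix length (/24) and the admin network are assumptions, set here.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_IP="${LAN_IP:-172.16.1.5}"
LAN_NET="${LAN_NET:-172.16.1.0/24}"
ADMIN_NET="${ADMIN_NET:-$LAN_NET}"   # narrow to one workstation, e.g. 172.16.1.10/32

gen_samba_ruleset() {
    cat <<EOF
*filter
# Default deny on both inbound chains. FORWARD stays DROP: this is a file
# server, not a router, so it must never relay traffic between WAN and LAN.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Anti-spoofing: LAN addresses never arrive on the WAN side, and only LAN
# addresses arrive on the LAN side.
-A INPUT -i ${WAN_IF} -s ${LAN_NET} -j DROP
-A INPUT -i ${LAN_IF} ! -s ${LAN_NET} -j DROP
# Samba, LAN side only: NetBIOS name/datagram (137,138/udp), NetBIOS session
# (139/tcp) and direct SMB (445/tcp). Bound to the LAN address so nothing
# answers on 192.168.1.5.
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -d ${LAN_IP} -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -d ${LAN_IP} -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
# Remote administration: SSH from the admin network on the LAN interface only.
# The WAN interface exposes no management port at all.
-A INPUT -i ${LAN_IF} -s ${ADMIN_NET} -d ${LAN_IP} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Allow ping from the LAN for troubleshooting.
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p icmp --icmp-type echo-request -j ACCEPT
# Record what the policy is about to drop, rate limited so a scan cannot fill the log.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Review check: fail if any rule accepts traffic arriving on the WAN interface.
# Reads the rule set from stdin; the exit status is the verdict.
check_no_wan_accept() {
    ! grep -- "-i ${WAN_IF}" | grep -q -- '-j ACCEPT'
}

# Print the rule set; apply as root with: gen_samba_ruleset | iptables-restore
gen_samba_ruleset
```

The check function is the kind of assertion worth keeping next to a rule set: the requirement "nothing is reachable from the WAN" is easy to break later by appending a rule, and `gen_samba_ruleset | check_no_wan_accept` catches that before the rules are loaded. If administrators must reach the box from the WAN side, the prompt's bastion host is the right answer: admit SSH on the WAN interface only from the bastion's address, never from anywhere.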

Nt 1430 Unit 7 Lab 2 Chap 25

...causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. /usr/share/system-config-firewall/fw_gui.py:2369: GtkWarning: Attempting to store changes into `/root/.local/share/recently-used.xbel', but failed: Failed to create file '/root/.local/share/recently-used.xbel.JZ4TOX': No such file or directory gtk.main() /usr/share/system-config-firewall/fw_gui.py:2369: GtkWarning: Attempting to set the permissions of `/root/.local/share/recently-used.xbel', but failed: No such file or directory gtk.main() [root@localhost nate]# [root@localhost nate]# cat/etc/sysconfig/iptables bash: cat/etc/sysconfig/iptables: No such file or directory [root@localhost nate]# iptables-L bash: iptables-L: command not found... [root@localhost nate]# Chapter 25, Unit 7, Lab 1 (NT 1430,U2,GA1) Nathaniel Hayes, Jr. Enterprise Linux-NT 1430 November 5, 2014 Professor Rahming [nate@localhost ~]$ su Password: [root@localhost nate]# system-config-firewall (system-config-firewall:2395): GVFS-RemoteVolumeMonitor-WARNING **: cannot connect to the session bus: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken. (system-config-firewall:2395):......

Words: 712 - Pages: 3

It-302-Linux System Administration

...Computer security is a necessity because of the many ways that your personal information. Millions of people each year are victims of hacked computers and accounts which lead to credit card theft and identity theft. This paper will explain a few of Unix/Linux's security operations such as SELinux, Chroot, and IPtables. Security-Enhanced Linux is a Linux feature that provides a mechanism for supporting access control security policies, including United States Department of Defense style mandatory access controls. These functions were run through the Linux Security Modules in the Linux kernel. It is not a Linux distribution, but rather a set of modifications that can be applied to Unix-like operating system kernels, such as Linux and that of BSD. SELinux was developed by the United States National Security Agency, it was released to the open source development community under the GNU GPL on December 22, 2000. SELinux users and roles are not related to the actual system users and roles. For every current user or process, SELinux assigns a three string context consisting of a role, user name, and domain. This system is more flexible than normally required: as a rule, most of the real users share the same SELinux username, and all access control is managed through the third tag, the domain. Circumstances for when the user is allowed to get into a certain domain must be configured in the policies. The command runcon allows for the launching of a process into an explicitly specified......

Words: 907 - Pages: 4

Information System Security

...default root directory, which is /. Chroot is very useful for basic preventative security, but it is not designed to prevent deliberate attempts to gain root access and attack a server. Chroot helps tremendously to at least make it more difficult to exploit your dedicated server (http://www.serverschool.com/dedicated-servers). iptables: iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables for Ethernet frames. Iptables requires elevated privileges to operate and must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page, which can be opened using man iptables when installed. It may also be found in /sbin/iptables, but since iptables is more like a service rather than an "essential binary", the preferred location remains /usr/sbin. iptables is also commonly used to inclusively refer to the kernel-level components. x_tables is the name of the kernel module carrying the shared code portion used by all four modules that also provides the API used for extensions; because of that, Xtables is more or less used to refer to the entire firewall (v4,v6,arp,eb)......

Words: 1522 - Pages: 7

It 302 Linux Security

...Linux Security Craig Van Doeselaar ITT Technical Institute IT 302 – Linux Matthew Gort April 4, 2012 Linux handles security through three basic concepts, SELinux, chroot jail and iptables. Each concept is designed to target a specific need in the security spectrum. SELinux works at the kernel level and enforces mandatory access control, chroot jail works within the file system and iptables handles routing of data. In the following paragraphs I will discuss some details of each discipline. SELinux can be traced back to the National Security Agency (NSA) when they got involved in trying to create a secure architecture. They released their research to the open source community which picked it up and continues to make improvements to its basic architecture. SELinux is designed to work at the kernel level of an operating system to enforce mandatory access control policies that confine users and servers to the minimum amount of privilege they require to do their job. The concept was to lock everything down by default and selectively allow access to applications as needed. This prevented security loop holes from remaining open because the average user wouldn't know what to have running and what to have shut down. This way as users attempt to use an application SELinux will deny the attempt unless you can authorize its use. This gave administrators better security on their workstations from inadvertent malicious use or outright......

Words: 769 - Pages: 4

Research Assignment 2.1

... Research Assignment 2.1 Kyle McGraw ITT Technical Institute IT302 Linux Mr. Gort April 14, 2012 In this paper I will go over 3 different types of Linux security technologies; those follow with SELinux, chroot jail, and iptables. These technologies aid in prevention of identity theft. I will help you understand what they are and who designed them and what good they are for you to use them. In the next paragraphs you will be able to decide which one is for you and more about the use of them. Under the GPL in late 2000 SElinux was released from the National Security Agency's Office of Information Assurance. More recently it was developed by the open source community with the help of NSA. SElinux currently ships as a part of Fedora Core, and it's supported by Red Hat. Also there are packages that exist for Debian, SuSe, and Gentoo although at this time these were unsupported by anyone. SElinux is based on the concept of Mandatory Access Control. Under MAC, administrators control every interaction on the software of the system. A least privilege concept is used; by default applications and users have no rights, because all rights have to be granted by an administrator because of the system's security policy. Under DAC, the files are owned by the user and that user has full control over them. If an attacker penetrates that user's account they can do whatever with the files owned by that user. Standard UNIX permissions are still present on the system, and will be consulted......

Words: 938 - Pages: 4

Linux Security Technology

... 2. Iptables: First introduced in 01 Sep 2002, netfilter/iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames. Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables. iptables requires elevated privileges to operate and must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page which can be opened using man iptables when installed. It may also be found in /sbin/iptables, but since iptables is more like a service rather than an "essential binary", the preferred location remains /usr/sbin. iptables is also commonly used to inclusively refer to the kernel-level components. x_tables is the name of the kernel module carrying the shared code portion used by all four modules that also provides the API used for extensions; subsequently, Xtables is more or less used to refer to the entire firewall (v4,v6,arp,eb) architecture. There is numerous third-party software for iptables that...

Words: 1860 - Pages: 8
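
An added example (not from the excerpt) of what "ip6tables applies to IPv6" means in practice: a rule set loaded with iptables-restore protects only IPv4, and the IPv6 filter table is separate, so a dual-stack host whose only rule set is the IPv4 one accepts every IPv6 packet. The companion rule set below is loaded with ip6tables-restore (on CentOS it lives in /etc/sysconfig/ip6tables). Its one real difference from an IPv4 rule set is the ICMPv6 it must admit: neighbour discovery and path MTU discovery are ICMPv6, and a host that drops them loses IPv6 connectivity altogether. SSH_PORT (22) is an assumption; the type list follows RFC 4890.

```shell
#!/bin/sh
# Added example (not from the excerpt): the IPv6 side of a default-deny host
# firewall, in ip6tables-restore format. Function name and SSH_PORT are this
# example's own. Unlike IPv4, IPv6 does not work with ICMP blocked wholesale:
# neighbour discovery and router advertisements are ICMPv6.

SSH_PORT="${SSH_PORT:-22}"

gen_host_ruleset6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMPv6 a host must accept (RFC 4890): destination unreachable (1), packet
# too big (2, needed for path MTU discovery), time exceeded (3), parameter
# problem (4), echo request/reply (128/129).
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129 -j ACCEPT
# Neighbour discovery: router solicitation/advertisement (133/134) and
# neighbour solicitation/advertisement (135/136). Legitimate ND is never
# routed, so its hop limit is always 255; anything else is forged.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT
# Services offered over IPv6, kept in step with the IPv4 rule set.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Print the rule set; apply as root with: gen_host_ruleset6 | ip6tables-restore
# Verify afterwards with: ip6tables -S INPUT
gen_host_ruleset6
```

If the host joins multicast groups it also needs MLD (types 130 to 132) on the link-local scope; RFC 4890 lists those alongside the types above. The point to check on any dual-stack server is simply `ip6tables -S`: an empty INPUT chain with policy ACCEPT means the IPv4 firewall is being bypassed by every client with an IPv6 route to the box.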


Linux Security Technologies

...George McShane Research Paper 07/13/2012 Linux Security Technologies In today's world there are many ways to gain access to the internet. You can go to your local library, a Starbucks, any airport, or even a McDonald's. With all of these ways to have free access to the Web, the opportunity for hackers to get to your personal information is at an all time high. Linux programming has many ways to combat this situation with security technologies such as SELinux, chroot jail, iptables, and virtual private networks (VPN's) to name a few. The basics of Linux security start with Discretionary Access Control, which is based on users and groups. The process starts with a user, who has access to anything that any other user can have access to. At first, it may seem great to be able to have that access, but the security in it is not so great. The US National Security Agency (NSA) developed the SELinux (Security Enhanced Linux) to combat the lack of strong security. (National Security Agency Central Security Service, 2009) Other organizations behind SELinux include the Network Associate Laboratories (NAI) labs which implemented several additional kernel mandatory access controls, developed the example security policy configuration, ported to the Linux 2.4 kernel, contributed to the development of the Linux Security Modules kernel patch, and adapted the SELinux prototype to LSM. The MITRE Corporation which enhanced several utilities to be SELinux-aware, and developed......

Words: 1207 - Pages: 5